eslint — Greenflagged

An AST-based pattern checker for JavaScript.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

openjsfoundationeslintbot

Keywords

astlintjavascriptecmascriptespree

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:lib/util/unicode/is-combining-character.js	AI (source-diff): Generated Unicode combining character data file — a dense integer array, not obfuscated malware. Explicitly labeled as auto-generated by tools/update-unicode-utils.js. Stable false positive for ESLint.	ai	2026/04/22
source-diff	net-exec-file:lib/util/ast-utils.js	AI (source-diff): lib/util/ast-utils.js is a core ESLint AST utility file with no actual network calls or malicious code execution — only standard require() and AST pattern matching. False positive for this package.	ai	2026/04/22
dependencies	unvetted-dep:handlebars	AI (dependencies): handlebars ^4.0.0 is a stable, widely-used template engine; appropriate for eslint's config generation.	ai	2026/04/22
source-diff	obfuscated-file:lib/util/patterns/letters.js	AI (source-diff): File is a machine-generated Unicode letter regex using the `regenerate` library, explicitly documented as such in the file header. Long lines are inherent to this generation approach, not obfuscation.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): ivolodin (Ilya Volodin) is a long-standing ESLint core team member with 181 approved packages. Multi-maintainer releases are normal for the ESLint project.	ai	2026/04/22
provenance	missing-githead	AI (provenance): eslint 2.0.0 is a major release from the canonical publisher; missing gitHead is consistent with a changed publish workflow for a major version and is not a malware signal for this well-established package.	ai	2026/04/22
semgrep	semgrep:child-process-import	AI (semgrep): child_process is legitimately used in config-initializer for CLI tool initialization; stable pattern for eslint.	ai	2026/04/22
phantom-deps	phantom-dep:estraverse	AI (phantom-deps): estraverse is explicitly declared as a runtime dependency in package.json; the phantom-dep finding is a false positive for this package.	ai	2026/04/22
source-diff	source-size-tripled	AI (source-diff): ESLint is a large, actively developed linting tool. Early versions grew rapidly as rules and infrastructure were added. Size increases reflect legitimate feature growth, not injected payloads.	ai	2026/04/22
dependencies	unvetted-dep:cssauron-esprima	AI (dependencies): cssauron-esprima is a small, specialized esprima wrapper; pinned to 0.0.1 and appropriate for eslint's AST analysis needs.	ai	2026/04/22
source-diff	net-exec-file:lib/types/rules.d.ts	AI (source-diff): lib/types/rules.d.ts is a TypeScript declaration file with only type definitions; no actual network calls or code execution. The analyzer false-positived on type signatures in a .d.ts file.	ai	2026/04/22
source-diff	obfuscated-file:lib/rules/utils/patterns/letters.js	AI (source-diff): Generated Unicode regex pattern with documented provenance from JSCS/regenerate tooling; long lines are the pattern itself, not obfuscation.	ai	2026/04/22
phantom-deps	phantom-dep:@types/json-schema	AI (phantom-deps): TypeScript type packages are loaded by convention; acceptable for a tool providing type definitions.	ai	2026/04/22
source-diff	net-exec-file:lib/types/rules/best-practices.d.ts	AI (source-diff): File is a TypeScript definition extracted from @types/eslint; contains only type declarations and MIT license header, no executable code or network calls.	ai	2026/04/22
dependencies	unvetted-dep:@nodelib/fs.walk	AI (dependencies): Established filesystem utility; appropriate for eslint's file-walking operations.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): OpenJS Foundation addition reflects ESLint's documented governance transition; legitimate organizational change.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of prior maintainers is consistent with OpenJS Foundation takeover; not a compromise signal.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): 75 new source files expected for a v7→v10 major version jump including new flat config system, TypeScript types, and rule refactoring.	ai	2026/04/21
publish-pattern	dormant-publish	AI (publish-pattern): Apparent dormancy is an artifact of the registry's last approved version being v7.32.0; ESLint published v8.x and v9.x continuously. Not actual inactivity.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): @eslint/config-array is an internal eslint package; new dependency is legitimate for this major version.	ai	2026/04/21
phantom-deps	phantom-dep:import-fresh	AI (phantom-deps): Normal pattern for config loaders; referenced in config files, not directly imported.	ai	2026/04/21
phantom-deps	phantom-dep:strip-json-comments	AI (phantom-deps): Normal pattern for config loaders; referenced in config files, not directly imported.	ai	2026/04/21
dependencies	unvetted-dep:v8-compile-cache	AI (dependencies): v8-compile-cache is a well-known performance optimization package used by eslint; legitimate and stable dependency.	ai	2026/04/21
dependencies	unvetted-dep:@eslint/eslintrc	AI (dependencies): @eslint/eslintrc is an official eslint org package for config handling; legitimate and stable dependency.	ai	2026/04/21
dependencies	unvetted-dep:eslint-utils	AI (dependencies): eslint-utils is a core eslint ecosystem utility package; legitimate and stable dependency.	ai	2026/04/21
dependencies	unvetted-dep:regexpp	AI (dependencies): regexpp is a well-known regex parser used by eslint for rule analysis; legitimate and stable dependency.	ai	2026/04/21
dependencies	unvetted-dep:table	AI (dependencies): table is a well-known, legitimate runtime dependency of eslint used for formatting output; stable across eslint versions.	ai	2026/04/21
dependencies	unvetted-dep:functional-red-black-tree	AI (dependencies): functional-red-black-tree is a well-known data structure package used by eslint; legitimate and stable dependency.	ai	2026/04/21
dependencies	unvetted-dep:@humanwhocodes/config-array	AI (dependencies): @humanwhocodes/config-array is authored by eslint's creator Nicholas Zakas and is a legitimate eslint dependency; stable for this package.	ai	2026/04/21
phantom-deps	phantom-dep:@types/estree	AI (phantom-deps): TypeScript type packages are loaded by convention; acceptable for a tool providing type definitions.	ai	2026/04/21
semgrep	semgrep:dynamic-require	AI (semgrep): Loads internal message templates from fixed directory; template name from error objects, not user input.	ai	2026/04/21
provenance	no-provenance	AI (provenance): ESLint is a well-established package with a known publisher and repository. Lack of Sigstore provenance is not a meaningful risk signal here.	ai	2026/04/21

Versions (showing 56 of 356)

Hide prereleases

Version	Deps	Published
0.20.0	19 / 22	2015-04-24
0.19.0	19 / 22	2015-04-11
0.18.0	19 / 21	2015-03-28
0.17.1	19 / 21	2015-03-18
0.17.0	19 / 21	2015-03-14
0.16.2	19 / 21	2015-03-11
0.16.1	19 / 21	2015-03-08
0.16.0	19 / 21	2015-03-07
0.15.1	19 / 21	2015-02-26
0.15.0	19 / 21	2015-02-21
0.14.1	19 / 21	2015-02-08
0.14.0	19 / 21	2015-02-07
0.13.0	19 / 20	2015-01-24
0.12.0	18 / 19	2015-01-17
0.11.0	17 / 19	2014-12-30
0.10.2	16 / 19	2014-12-12
0.10.1	16 / 19	2014-12-06
0.10.0	16 / 19	2014-11-27
0.9.2	16 / 17	2014-11-01
0.9.1	16 / 16	2014-10-25
0.9.0	16 / 16	2014-10-24
0.8.2	15 / 16	2014-09-20
0.8.1	14 / 17	2014-09-10
0.8.0	14 / 17	2014-09-05
0.7.4	13 / 17	2014-07-10
0.7.3	13 / 17	2014-07-09
0.7.2	13 / 17	2014-07-08
0.7.1	13 / 17	2014-07-07
0.6.2	11 / 15	2014-05-23
0.6.1	11 / 15	2014-05-17
0.6.0	11 / 15	2014-05-17
0.5.1	11 / 15	2014-04-17
0.5.0	11 / 15	2014-04-10
0.4.5	10 / 15	2014-03-29
0.4.4	10 / 15	2014-03-25
0.4.3	10 / 14	2014-03-19
0.4.2	10 / 14	2014-03-04
0.4.1	10 / 14	2014-02-27
0.4.0	10 / 14	2014-02-12
0.3.0	8 / 10	2014-01-20
0.2.0	4 / 8	2014-01-01
0.1.4	4 / 8	2013-12-06
0.1.3	4 / 12	2013-11-26
0.1.2	4 / 14	2013-11-24
0.1.1	5 / 5	2013-11-10
0.1.0	5 / 5	2013-11-04
0.0.7	4 / 4	2013-07-22
0.0.6	4 / 4	2013-07-17
0.0.5	4 / 4	2013-07-06
0.0.4	4 / 4	2013-07-04
10.0.0-rc.2	30 / 59	2026-01-27
10.0.0-rc.1	30 / 59	2026-01-23
10.0.0-rc.0	30 / 59	2026-01-09
10.0.0-beta.0	30 / 59	2025-12-12
10.0.0-alpha.1	31 / 59	2025-11-28
10.0.0-alpha.0	31 / 59	2025-11-14